Published by Lena Amundsen. Modified over 5 years ago.
1
Layer 2 hardening on certain Cisco hardware
2
BPDU Guard (Bridge Protocol Data Unit)
BPDUs are the frames switches exchange to build the spanning tree via STP. BPDU Guard is enabled on access (PortFast/edge) ports, where no BPDU should ever arrive; if one does, the port is put into err-disabled state. Goals: avoid collapsing the network when a misconfigured switch is plugged into an access port and joins the spanning-tree instance; avoid traffic diversion by a device that advertises itself as root bridge (on ports that legitimately carry BPDUs, Root Guard covers the root-bridge case instead).
3
IP Source Guard
To stop hosts from using IP addresses that were not assigned to them, we use IP Source Guard: on an untrusted port it permits only IP traffic whose source address appears in the DHCP snooping binding table for that port (or in a static binding). With the MAC-filtering option it also checks the source MAC, so a client cannot forge its MAC address; that option depends on port security, and its exact syntax varies by platform (the vlan dhcp-snooping form below is the Catalyst 6500 one).
MAC flooding is a related but different problem, and it is port security (next slide) that stops it. In a MAC flooding attack the attacker sends frames with so many different source MAC addresses from its port that the switch's MAC (CAM) table overflows. The switch then has no entry for legitimate destinations and has no choice but to flood those frames out of every port, since it no longer knows which MAC is where, so the attacker's port receives all the traffic crossing the switch. Some viruses have been known to do this as well.
Switch(config-if)# ip verify source vlan dhcp-snooping
But be careful! If the binding table has no entry for this port, you have just blocked all IP traffic from it. Enable DHCP snooping well ahead of IP Source Guard (the slide suggests a day, so that clients renew their leases and populate the table), and add static bindings for hosts with fixed addresses.
4
Port Security
To apply MAC address security, turn it on, then configure the appropriate options:
! Set explicit access mode (dynamic or trunk ports can't have port security)
Switch(config-if)# switchport mode access
! Enable port security
Switch(config-if)# switchport port-security
! Specify how many MAC addresses may be used on the port
Switch(config-if)# switchport port-security maximum 1
! Action to take when a violation happens
Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}
protect silently drops frames from additional MAC addresses, restrict drops them and counts/logs the violation, shutdown (the default) puts the port into err-disabled state.
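The MAC flooding attack described on the IP Source Guard slide and the port-security countermeasure above, as a runnable model. This is an added example, not code from the slides or from Cisco: the switch, its tiny 64-entry CAM table, the port names and the MAC addresses are constructed, and protect/restrict are collapsed into "drop and count" since they differ only in logging.

```python
"""Toy model of a switch MAC (CAM) table, the MAC flooding attack against it,
and port security as the countermeasure.

Added example, not code from the original slides or from Cisco. Port names,
MAC addresses and the tiny CAM capacity are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Frame:
    src: str       # source MAC
    dst: str       # destination MAC
    ingress: str   # port the frame arrived on


@dataclass
class PortSecurity:
    maximum: int = 1
    violation: str = "shutdown"          # protect | restrict | shutdown
    learned: set = field(default_factory=set)
    violations: int = 0
    err_disabled: bool = False


class Switch:
    def __init__(self, ports, cam_capacity):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity   # real switches: thousands of entries
        self.cam = {}                      # MAC -> port
        self.security = {}                 # port -> PortSecurity

    def enable_port_security(self, port, maximum=1, violation="shutdown"):
        self.security[port] = PortSecurity(maximum=maximum, violation=violation)

    def forward(self, frame):
        """Return the egress ports for the frame ([] if it is dropped)."""
        sec = self.security.get(frame.ingress)
        if sec is not None:
            if sec.err_disabled:
                return []
            if frame.src not in sec.learned:
                if len(sec.learned) >= sec.maximum:
                    # Violation: protect and restrict drop the frame (restrict also
                    # counts/logs it); shutdown err-disables the whole port.
                    sec.violations += 1
                    if sec.violation == "shutdown":
                        sec.err_disabled = True
                    return []
                sec.learned.add(frame.src)
        # Source learning. A full table cannot learn new MACs (real switches also
        # age entries out, which is why an attacker keeps spraying frames).
        if frame.src in self.cam or len(self.cam) < self.cam_capacity:
            self.cam[frame.src] = frame.ingress
        out = self.cam.get(frame.dst)
        if out is None:
            # Unknown destination (or broadcast): flood out of every other port.
            return [p for p in self.ports if p != frame.ingress]
        return [out]


HOST_A, HOST_B = "00:aa:aa:aa:aa:01", "00:bb:bb:bb:bb:02"   # constructed


def cam_flooding_demo(port_security, violation="restrict"):
    """Attacker on Fa0/3 sprays 100 bogus source MACs; hosts A (Fa0/1) and
    B (Fa0/2) then exchange unicast frames. Returns what the last A->B frame did."""
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"], cam_capacity=64)
    if port_security:
        sw.enable_port_security("Fa0/3", maximum=1, violation=violation)
    for i in range(100):
        sw.forward(Frame(f"de:ad:be:ef:00:{i:02x}", "ff:ff:ff:ff:ff:ff", "Fa0/3"))
    sw.forward(Frame(HOST_A, HOST_B, "Fa0/1"))   # first frame floods: B unknown yet
    sw.forward(Frame(HOST_B, HOST_A, "Fa0/2"))
    egress = sw.forward(Frame(HOST_A, HOST_B, "Fa0/1"))
    sec = sw.security.get("Fa0/3")
    return {
        "cam_entries": len(sw.cam),
        "egress": egress,
        "attacker_sees_traffic": "Fa0/3" in egress,
        "violations": sec.violations if sec else 0,
        "port_err_disabled": sec.err_disabled if sec else False,
    }


if __name__ == "__main__":
    for label, kw in [("no port security", dict(port_security=False)),
                      ("restrict", dict(port_security=True, violation="restrict")),
                      ("shutdown", dict(port_security=True, violation="shutdown"))]:
        print(f"{label:18}", cam_flooding_demo(**kw))
```

Without port security the attacker's 100 bogus MACs fill the table, the legitimate hosts can no longer be learned, and every A-to-B unicast frame is flooded to Fa0/3. With maximum 1 and restrict, only the attacker's first MAC is learned and the other 99 frames are counted as violations; with shutdown the port is err-disabled on the second frame and stays silent until an administrator (or errdisable recovery) re-enables it.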
5
What is CIST? Catalyst Integrated Security Toolkit
It contains three security features: DHCP Snooping, Dynamic ARP Inspection, IP Source Guard
6
DHCP snooping
Your target: stop untrusted devices from acting as a DHCP server.
DHCP snooping is a DHCP security feature that filters untrusted DHCP messages and builds and maintains the DHCP snooping binding table. Every interface is untrusted unless it is explicitly configured as trusted. On an untrusted interface the switch drops DHCP server messages (OFFER, ACK, NAK) and client messages whose source MAC does not match the client hardware address in the DHCP payload, which stops rogue DHCP servers and some denial-of-service attempts. Trusted interfaces are those that lead to the legitimate DHCP server (the server's own port, or the uplink toward it); server messages are accepted only there.
The binding table records the MAC address, IP address, lease time, binding type, VLAN number and interface for each client that obtained a lease through one of the switch's untrusted interfaces. DHCP snooping is enabled per VLAN, since the switch intercepts the DHCP messages at layer 2. The following is a step-by-step procedure to enable and configure DHCP snooping on Cisco Catalyst switches running Cisco IOS.
7
Enable DHCP snooping
ciscoswitch(config)# ip dhcp snooping
Enable DHCP snooping on VLANs
DHCP snooping can be enabled on one VLAN, several VLANs or a range of VLANs (the command takes the VLAN IDs directly; there is no "number" keyword):
ciscoswitch(config)# ip dhcp snooping vlan 100
The above enables DHCP snooping on VLAN 100. To enable it on more VLANs:
ciscoswitch(config)# ip dhcp snooping vlan 10-15,100,110
which enables DHCP snooping on VLANs 10-15, 100 and 110.
Enable DHCP option 82
This makes the switch insert option 82, the Relay Agent Information option described in RFC 3046, into client packets before forwarding them toward the server:
ciscoswitch(config)# ip dhcp snooping information option
Caveat: option 82 insertion is on by default on many Catalyst platforms. If the DHCP server or an upstream relay does not handle option 82, client requests may be ignored; and a switch that receives option-82 packets on an untrusted port with a zero giaddr drops them unless it is explicitly configured to allow untrusted option 82.
8
Configure trusted interfaces
Any interface not explicitly configured as trusted is treated as untrusted.
ciscoswitch(config)# interface fa0/0
ciscoswitch(config-if)# ip dhcp snooping trust
DHCP snooping rate limiting (optional)
Rate limiting restricts the number of DHCP packets per second (pps) an interface may receive. When the limit is exceeded the port is put into err-disabled state, so use a low value on client ports (a handful of DHCP packets per second is plenty for a host) and leave trusted uplinks unlimited or set a much higher value there.
ciscoswitch(config-if)# ip dhcp snooping limit rate 202
Here "202" means the interface can receive 202 DHCP messages per second.
This completes the DHCP snooping configuration on a Cisco IOS switch.
Display DHCP snooping
ciscoswitch# show ip dhcp snooping
DHCP Snooping is configured on the following VLANs:
Insertion of option 82 information is enabled.
Interface          Trusted   Rate limit (pps)
-----------------  -------   ----------------
FastEthernet2/1    yes       10
FastEthernet2/2    yes       none
FastEthernet3/1    no        20
Display the DHCP snooping binding table
ciscoswitch# show ip dhcp snooping binding
MacAddress          IP Address        Lease (seconds)   Type      VLAN   Interface
------------------  ----------------  ----------------  --------  -----  ----------------
                                      1600              dynamic   100    FastEthernet2/1
9
! Turn on snooping for the entire switch:
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan [number or range]
! The port toward our DHCP server:
Switch(config)# interface GigabitEthernet 5/1
Switch(config-if)# ip dhcp snooping trust
! An untrusted client port, rate-limited (not a required step):
Switch(config)# interface FastEthernet 2/1
Switch(config-if)# ip dhcp snooping limit rate 10
! A range of ports configured as trusted:
Switch(config)# interface range FastEthernet 2/0/1 - 8 , GigabitEthernet 1/0/1 - 3
Switch(config-if-range)# ip dhcp snooping trust
10
Dynamic ARP Inspection
Validates Address Resolution Protocol (ARP) packets in a network
Intercepts, logs and discards ARP packets with invalid MAC-address-to-IP-address bindings
Prevents ARP poisoning (ARP spoofing) attacks, and therefore the "man-in-the-middle" attacks built on them, e.g. with Cain & Abel
Note: DAI does not protect against DHCP pool (lease) starvation; that is the job of port security and DHCP snooping rate limiting
11
How does it work? By intercepting all ARP requests and responses on untrusted ports.
Each intercepted packet is checked for a valid MAC-address-to-IP-address binding before the switch forwards it to its destination, so an invalid packet never reaches a host's ARP cache. Invalid ARP packets are dropped.
Gratuitous ARP? A gratuitous ARP (sender IP equal to target IP, the classic way to poison caches) is just another ARP packet to DAI: it is validated against the binding table like any other, so an attacker announcing the gateway's IP with its own MAC is dropped.
12
How does it work? DAI determines the validity of an ARP packet from the valid MAC-address-to-IP-address bindings stored in a trusted database. This database is built at runtime by DHCP snooping, so DHCP snooping must be enabled on the VLANs and interfaces in question; hosts with static addresses need ARP ACLs or static bindings. DAI performs its validation checks in the CPU, so incoming ARP packets on untrusted interfaces are rate-limited (15 pps by default) to prevent a denial-of-service attack on the switch itself; a port that exceeds the limit is placed in err-disabled state.
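The binding-table checks described on the IP Source Guard slide and on the Dynamic ARP Inspection slides, as one runnable model: parse a `show ip dhcp snooping binding` listing, then run IP packets through an IP Source Guard check and ARP packets through a DAI check with a per-port rate limit. This is an added example, not code from the slides or from Cisco IOS: the show-command text, the port names, the MAC and IP addresses and the ARP packets are constructed, and static `ip source binding` entries and ARP ACLs are not modelled.

```python
"""Model of the DHCP snooping binding table and the two features that consume it:
IP Source Guard (filters IP packets) and Dynamic ARP Inspection (filters ARP).

Added example, not code from the original slides or from Cisco IOS. The
show-command text, port names, MAC/IP addresses and ARP packets are constructed;
15 pps is the IOS default DAI rate limit for untrusted interfaces.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed output in the layout of `show ip dhcp snooping binding`.
SHOW_BINDING = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:11:22:33:44:55   10.0.100.10      1600        dhcp-snooping  100   FastEthernet2/1
00:11:22:33:44:66   10.0.100.11      3200        dhcp-snooping  100   FastEthernet2/2
"""

ROW_RE = re.compile(
    r"^([0-9a-f:]{17})\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)$", re.I)


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str


def parse_binding_table(text):
    """Turn the show-command text into Binding records (header lines are skipped)."""
    out = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            mac, ip, _lease, _type, vlan, intf = m.groups()
            out.append(Binding(mac.lower(), ip, int(vlan), intf))
    return out


def ipsg_permits(bindings, interface, src_ip, src_mac=None):
    """IP Source Guard on an untrusted port: an IP packet passes only if its source
    IP (and, with MAC filtering, its source MAC) is bound to that port. A port with
    no binding at all therefore passes no IP traffic, the failure mode on the slide."""
    return any(b.interface == interface and b.ip == src_ip
               and (src_mac is None or b.mac == src_mac.lower())
               for b in bindings)


@dataclass(frozen=True)
class Arp:
    ingress: str
    vlan: int
    sender_mac: str
    sender_ip: str
    target_ip: str


class DynamicArpInspection:
    def __init__(self, bindings, trusted=(), rate_limit_pps=15):
        self.valid = {(b.vlan, b.mac, b.ip) for b in bindings}
        self.trusted = set(trusted)
        self.rate_limit = rate_limit_pps
        self.seen = defaultdict(int)   # (interface, whole second) -> ARP packets
        self.err_disabled = set()
        self.log = []

    def inspect(self, pkt, t=0.0):
        """Return the verdict for one ARP packet arriving at time t (seconds)."""
        if pkt.ingress in self.err_disabled:
            return "dropped: err-disabled"
        if pkt.ingress in self.trusted:
            return "forwarded (trusted port, not inspected)"
        key = (pkt.ingress, int(t))
        self.seen[key] += 1
        if self.seen[key] > self.rate_limit:
            # Validation runs in the CPU; past the limit the port is err-disabled.
            self.err_disabled.add(pkt.ingress)
            return "dropped: rate limit exceeded, port err-disabled"
        if (pkt.vlan, pkt.sender_mac.lower(), pkt.sender_ip) in self.valid:
            return "forwarded"
        kind = "gratuitous ARP" if pkt.sender_ip == pkt.target_ip else "ARP"
        self.log.append(f"invalid {kind} {pkt.sender_mac}/{pkt.sender_ip} "
                        f"on {pkt.ingress} vlan {pkt.vlan}")
        return "dropped: no matching binding"


def demo():
    bindings = parse_binding_table(SHOW_BINDING)
    dai = DynamicArpInspection(bindings, trusted=["GigabitEthernet5/1"])
    r = {}
    # Legitimate host on Fa2/1 asks for the gateway 10.0.100.1.
    r["legit"] = dai.inspect(Arp("FastEthernet2/1", 100, "00:11:22:33:44:55", "10.0.100.10", "10.0.100.1"))
    # Poisoning: a host on Fa2/3 sends a gratuitous ARP claiming the gateway's IP.
    r["poison"] = dai.inspect(Arp("FastEthernet2/3", 100, "66:66:66:66:66:66", "10.0.100.1", "10.0.100.1"))
    # The real gateway answers from the trusted uplink; no binding is needed there.
    r["uplink"] = dai.inspect(Arp("GigabitEthernet5/1", 100, "aa:bb:cc:dd:ee:ff", "10.0.100.1", "10.0.100.10"))
    # A valid host that sends 20 ARPs within one second still trips the 15 pps limit.
    for i in range(20):
        r["flood"] = dai.inspect(Arp("FastEthernet2/2", 100, "00:11:22:33:44:66", "10.0.100.11", "10.0.100.1"), t=5 + i / 100)
    r["err_disabled"] = sorted(dai.err_disabled)
    r["dai_log"] = list(dai.log)
    # IP Source Guard decisions on the same binding table.
    r["ipsg_ok"] = ipsg_permits(bindings, "FastEthernet2/1", "10.0.100.10", "00:11:22:33:44:55")
    r["ipsg_spoofed_ip"] = ipsg_permits(bindings, "FastEthernet2/1", "10.0.100.11")
    r["ipsg_no_binding"] = ipsg_permits(bindings, "FastEthernet2/3", "10.0.100.50")
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:16} {v}")
```

Two things the slides state but do not show fall out of the run: a port with no binding (Fa2/3 here, a host that never obtained a lease through the switch) passes no IP traffic at all once IP Source Guard is on, and the DAI rate limit err-disables a port on the 16th ARP in one second even when every packet was valid, so a chatty but honest host can knock itself offline until errdisable recovery or an administrator intervenes.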